Small business owners frequently assume that hackers have little interest in attacking their organizations - "after all," they reason, "what data do I have that a hacker could consider valuable?"
They are terribly wrong.
In fact, today, about half of all cyberattacks target small businesses.
This point was stressed by Michael Kaiser, Executive Director of the National CyberSecurity Alliance, at a presentation last week at the NASDAQ (Note: I attended the event and spoke with many experts - I'll be discussing highlights in a separate article), who noted that because small business owners frequently hear news reports about huge data breaches like those that happened at Yahoo, they may incorrectly assume that hackers only pursue companies with huge volumes of valuable data; such a notion is simply not true.
The increase in "targeting the little guy" began several years ago - I discussed it back in 2011 when the number of small business hacks was growing, but still likely represented less than a fifth of all attacks - today, however, the number is somewhere just shy of 50% -- with the actual figures varying slightly between studies. Furthermore, the trend towards targeting small businesses is likely to continue - small businesses have become, in the eyes of many hackers, more attractive targets than larger enterprises. Here are some of the reasons:
1. Small business owners pay ransoms.
Nearly every small business has computer-based data that it needs in order to operate, and few have the capability to independently recover from a ransomware attack, so small business owners are likely to pay ransoms if hackers encrypt critical data and demand money to restore access to it.
2. Small businesses have valuable data.
Contrary to many people's perceptions, the majority of small businesses store either financial information that can be used for fraud, or personal details that can be used for identity theft - i.e., they have data that criminals want.
3. Small businesses provide hackers access into larger enterprises.
Small businesses supply larger enterprises with goods and services - information gleaned from small business systems may be a hacker's golden ticket into a larger enterprise. The massive Target breach of just a few years ago, for example, began when a hacker exploited the access that the retail giant provided to an HVAC contractor.
4. Small businesses can provide hackers access into many other small businesses.
Small businesses often use services from other small business - and those offerings may not be secure. In some cases, competing small businesses may even utilize the same service from the same provider - which, can lead to all sorts of security problems.
5. Small businesses often lack adequate cyber-defenses.
Small businesses rarely have the defenses that large businesses have - so while the reward to a hacker may be smaller if he or she breaches the "little guy" than if he/she hacked a major corporation, the odds of actually achieving a reward are often much greater. To put it simply, smaller businesses are frequently much easier to hack than larger enterprises. This sentiment was echoed last week by Maureen Ohlhausen, the Acting Chairman of the Federal Trade Commission, at the aforementioned NCSA event; Ohlhausen noted that, as a result of their frequent inability to deal with attacks, small businesses may actually be in greater cyber-danger than larger enterprises.
6. It is likely a lot easier to get away with hacking a small business than a large enterprise.
Small businesses are far less likely to have security personnel and technology in place to detect an attack as it occurs, and are less likely to have technology creating and protecting audit logs and other data needed to both perform forensic analysis and establish admissible evidence. As a result, someone attacking a small business is much less likely to get caught, arrested, and punished than someone who attacks a large business. Criminals know this - and some who would never risk trying to attack Amazon.com, for example, might have no qualms about trying to hack a mom-and-pop retail outlet. The likelihood-of-being-brought-to-justice imbalance is further exaggerated by larger firms having much greater political clout and access to law enforcement than smaller businesses, coupled with the fact that small businesses are far more likely to fail as the result of a breach - meaning that some folks who might otherwise have pursued legal action against hackers simply do not have the time and resources to do so, or may "move on" to other jobs and not "dwell on the past."
So, if you own, run, or work at a small business, be prepared.
Some great tips can be found in the article: 13 Tips to Achieve Great Cybersecurity Without Spending a Fortune.